William Carroll f926b4d61a Expose secrets to Monzo / YNAB service
Here is my first attempt to manage secrets when I deploy onto a NixOS machine.

Background: When I develop, I use direnv, which reads an .envrc file in which I
define my secrets. My secrets are read from `pass` using a pattern like this...

```shell
secret_value="$(pass show path/to/secret)"
```

...Thus far, I've found this pattern convenient. `pass show` invokes GPG, which
asks me for a password to authenticate. This means that when I cd into a
directory with an .envrc file using this pattern, I may be prompted by GPG for a
password. When I'm not, it's because gpg-agent is still caching my
password. This works for development, but I currently do not know how to use
direnv for deployments.

Here is what I'm using until I find a more convenient solution:
- Store the secrets in /etc/secrets on socrates. Ensure that the /etc/secrets
  directory and its contents are only readable by root.
- Use systemd's Environment and NixOS's builtins.readFile to read the files in
  /etc/secrets when I can `sudo nixos-rebuild`.

Ideally I could call a function like `builtins.readFromPasswordStore` within
configuration.nix. This would allow me to skip the step where I run...

```shell
> ssh socrates
> pass show finance/monzo/client-id | sudo tee /etc/secrets/monzo-client-id
> pass show finance/monzo/client-secret | sudo tee /etc/secrets/monzo-client-secret
> # etc
```

...I don't know how to manage secrets using NixOS, but at least this is one
answer.
2020-02-23 19:32:49 +00:00
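The commit message's interim approach is to keep each secret in a root-only file under /etc/secrets. The helper below is an added example, not code from the briefcase repository: stage_secret writes one secret from stdin into that directory with 0600/0700 modes (and, unlike the `pass show ... | sudo tee` pipeline, never echoes the secret to the terminal), and check_secrets_dir is the check that the directory and everything in it are closed to group and others. The directory path, file names and the secrets.sh file name in the usage comment are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not part of the briefcase repository: helpers for the
# /etc/secrets approach described in the commit message. Paths and names are
# assumptions for illustration.

# stage_secret DIR NAME
#   Reads the secret from stdin and writes DIR/NAME with mode 0600 inside a
#   0700 directory. Runs in a subshell so the umask change does not leak.
stage_secret() {
  dir=$1
  name=$2
  (
    umask 077                 # new files 0600, new directories 0700
    mkdir -p "$dir"
    chmod 700 "$dir"          # tighten a pre-existing directory as well
    rm -f "$dir/$name"        # never write into an old, possibly readable file
    cat > "$dir/$name"        # created under umask 077, so 0600 from the start
  )
}

# mode_tail PATH
#   Prints the group/other part of the symbolic mode, e.g. "------" for 0600.
mode_tail() {
  ls -ld "$1" | cut -c5-10
}

# check_secrets_dir DIR
#   Returns 0 only when DIR and every entry in it deny all group/other access.
check_secrets_dir() {
  dir=$1
  [ -d "$dir" ] || return 1
  [ "$(mode_tail "$dir")" = "------" ] || return 1
  for f in "$dir"/*; do
    [ -e "$f" ] || continue   # empty directory: the glob stays literal
    [ "$(mode_tail "$f")" = "------" ] || return 1
  done
  return 0
}

# Intended use on the host (assumes this file is saved as secrets.sh):
#   pass show finance/monzo/client-id \
#     | sudo sh -c '. ./secrets.sh; stage_secret /etc/secrets monzo-client-id'
#   sudo sh -c '. ./secrets.sh; check_secrets_dir /etc/secrets' && echo ok
```

One caveat when choosing between the two mechanisms the commit message names: a value that configuration.nix reads with builtins.readFile and places into a unit's Environment= line is copied into the generated unit file in /nix/store, which every local user can read, so the root-only permissions on /etc/secrets no longer protect it. systemd's EnvironmentFile= (exposed in NixOS as serviceConfig.EnvironmentFile) reads the file when the service starts, so the secret stays on the root-only path and the check above remains meaningful.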
advent-of-code Splice ./universe directory into ./ 2020-01-29 14:43:20 +00:00
blog Add deploy.nix to blog 2020-01-31 16:30:56 +00:00
clojure Rename dotfiles -> briefcase 2020-01-31 15:27:48 +00:00
configs Converge naming of Acer laptop to "socrates" 2020-02-22 19:04:12 +00:00
deploy Rename docker -> deploy 2020-01-31 16:29:22 +00:00
emacs Converge naming of Acer laptop to "socrates" 2020-02-22 19:04:12 +00:00
fish Alias systemctl 2020-02-16 22:09:47 +00:00
go Practice concurrency in golang 2020-02-10 10:06:40 +00:00
gopkgs Tidy up structure of briefcase 2020-02-12 16:58:29 +00:00
haskell-file Splice ./universe directory into ./ 2020-01-29 14:43:20 +00:00
java Splice ./universe directory into ./ 2020-01-29 14:43:20 +00:00
lisp Rename dotfiles -> briefcase 2020-01-31 15:27:48 +00:00
mail Begin supporting notmuch in Emacs 2020-02-13 18:32:26 +00:00
monzo_ynab Begin work on YNAB client 2020-02-10 23:24:33 +00:00
nixos Expose secrets to Monzo / YNAB service 2020-02-23 19:32:49 +00:00
org Read PG's Lisp for Web-Based Applications 2020-02-21 19:47:54 +00:00
scratch Solve InterviewCake's inflight-entertainment problem 2020-02-21 11:30:01 +00:00
third_party Tidy up structure of briefcase 2020-02-12 16:58:29 +00:00
tools Nixify simple_vim idea 2020-02-12 18:05:32 +00:00
travel_hitlist Sort items in travel_hitlist 2020-02-10 11:57:18 +00:00
.envrc Support lorri 2020-02-07 11:01:24 +00:00
.gitignore Attempt to support TypeScript for coding challenges 2020-02-11 17:11:19 +00:00
default.nix Tidy up structure of briefcase 2020-02-12 16:58:29 +00:00
elisp-conventions.md Massive configuration overhaul 2019-12-24 15:21:34 +00:00
keybindings.md Massive configuration overhaul 2019-12-24 15:21:34 +00:00
Makefile Rename dotfiles -> briefcase 2020-01-31 15:27:48 +00:00
README.md Rename dotfiles -> briefcase 2020-01-31 15:27:48 +00:00
shell.nix Support lorri 2020-02-07 11:01:24 +00:00
snippets.md Massive configuration overhaul 2019-12-24 15:21:34 +00:00
utils.nix Move move .emacs.d out of configs/shared 2020-01-30 16:00:29 +00:00

briefcase

Welcome to my briefcase: my monorepo.

I'm attempting to amass a collection of packages that span a variety of languages while minimizing the costs of sharing the code. This also includes configuration for things like emacs, tmux, ssh, and other tools.

Installation (Deprecated)

The installation instructions here are deprecated. I'd like to manage packaging and installing with Nix, but that is only partially supported at the moment.

wpgtk and gvcci

$ apti python-pip3
$ gclone deviantfero/wpgtk
$ cd ..
$ gclone FabriceCastel/gvcci
  • TODO: Integrate Emacs themes into wpgtk.
  • TODO: Integrate Vim themes into wpgtk.
  • TODO: add these to the install script
$ ln -s ~/Dropbox/.password-store ~/.password-store
$ ln -s ~/Dropbox/bin ~/bin
$ import_gpg $DOTFILES/configs/shared/gpg/.gnupg/exported
  1. Clipmenu

Clipmenu is a service to store a history of copied strings.

Install it as:

$ cd ~/programming && g clone cdown/clipmenu
  • TODO: Include ~/.config/systemd/user in configs/shared.
  • TODO: Obviate installation.

Ensure that it runs on startup:

$ cd ~/programming/clipmenu
$ cp clipmenu clipmenud clipdel ~/bin # You may not need to do this step.
$ vim init/clipmenud.service
# Change the ExecStart line to point to ~/bin/clipmenud
$ cp init/clipmenud.service ~/.config/systemd/user/clipmenud.service
$ systemctl --user start clipmenud
$ systemctl --user enable clipmenud # This step may be optional.
$ reboot
$ systemctl --user status clipmenud # Verify installation worked.
  2. Install Dropbox
$ cd ~ && wget -O - "https://www.dropbox.com/download?plat=lnx.x86_64" | tar xzf -
$ crontab -e # add the following line...
@reboot ~/.dropbox-dist/dropboxd >/tmp/dropbox.log 2>&1
$ reboot            # 1/3 verify installation
$ pgrep dropbox     # 2/3 verify installation
$ dropbox.py status # 3/3 verify installation
  3. Authorize computer to access GitHub
$ ssh-keygen -t rsa -b 4096 -C 'wpcarro@gmail.com'
$ eval $(ssh-agent -s)
$ ssh-add ~/.ssh/id_rsa
$ xclip -sel clip <~/.ssh/id_rsa.pub
$ browse github.com # paste ssh public key in settings
  4. Install Vundle, nix-env
$ ln -s ~/Dropbox/Vundle.vim ~/.config/nvim/bundle/Vundle.vim
$ cat ~/Dropbox/install_nix.sh | sh
$ for p in $(cat nix-env.txt); do
>   nix-env -i "$p"
> done
  5. Install dotfiles
  • TODO: include steps 2-4 in the make install command.

Missing the following dependencies:

  • stow
  • neovim
  • bat
  • exa
  • fasd
  • opam
  • ghcup
  • ripgrep
  • fzf
  • fd
  • hub
  • pass
$ cd ~/Dropbox/dotfiles
$ DOTFILES="$(pwd)" make install
  6. Install Node dependencies

For now, this deserves its own section since it isn't automated.

$ gclone tj/n       # clone repo
$ sudo make install # build from source
$ n stable          # install the stable version of node
  • TODO: support dependencies like terminal themes

SSHFS

TODO: add explanation about unison, rsync, etc.

SSHFS enables seamless file transfers from your local machine to a remote machine.

Usage

Assuming your remote machine is configured in your ~/.ssh/config (see above), you can mount your remote machine's home directory on your local machine like so:

$ mkdir ~/ec2
$ sshfs ec2:/home/ubuntu ~/ec2 -o reconnect,follow_symlinks

Now your remote machine's home directory can be accessed using the ~/ec2 directory. This directory can be treated as if it were an ordinary local directory. To illustrate how easy it is to use, let's install Vundle onto our remote machine.

$ git clone https://github.com/VundleVim/Vundle.vim.git ~/ec2/.vim/bundle/Vundle.vim

Voila! We now have Vundle installed on our ec2 instance without needing to manually SSH into that machine.

GnuPG

To install GPG run the following:

$ import_gpg

TODO: create a job that runs this periodically.

$ export_gpg

Reference

- sec: secret key
- pub: public key
- ssb: secret sub-key
- sub: public sub-key

Terminals and Fonts

Any terminal or font I choose should pass the following checks:

$ test_true_color
$ test_16_colors
$ test_text_formatting
$ test_unicode
$ test_emojis

Ligatures

If using a font with ligatures (e.g. Hasklig), make sure that your terminal also supports ligatures.